
bitwarden-rs安装笔记

#环境:

debian9
oneinstack(NGINX+PHP+fail2ban+backup.sh修改版)

#说明:

使用docker安装bitwarden-rs
修改oneinstack的自动备份,用来备份bitwarden-rs文件(dropbox)
添加robots.txt禁止搜索引擎抓取
配置fail2ban防止爆破

# Install Docker & bitwarden-rs

# Reference: https://wzfou.com/bitwarden-rs/
# Remove any older Docker packages first
sudo apt-get remove docker docker-engine docker.io containerd runc
# SET UP THE REPOSITORY
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common

# Import Docker's repository signing key. It is fetched over HTTPS and piped straight
# into apt-key, so the fingerprint check on the next command is the step that actually
# verifies it — compare the printed fingerprint with the one Docker publishes.
# (apt-key itself is deprecated on newer Debian releases in favour of signed-by keyrings.)
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
# Verify the imported key
sudo apt-key fingerprint 0EBFCD88

# Add the stable repository for this Debian release
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
# Install
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
# Verify that Docker Engine - Community works
sudo docker run hello-world

# Install Docker Compose (pinned to release 1.24.1)
# NOTE(review): the binary is downloaded and made executable with no integrity check;
# the release page also carries a checksum file — compare the download against it
# before the chmod, otherwise a tampered download runs as root on the next invocation.
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Check the install
docker-compose --version

# If the command is reported as not found, create the link manually:
#sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

# Pull bitwarden_rs
# NOTE(review): `latest` is an unpinned tag, so every pull may fetch a different
# image; pin a version tag or an image digest for a reproducible deployment.
# (These commands run without sudo: assumes a root shell or docker-group membership,
# which is root-equivalent.)
docker pull bitwardenrs/server:latest

# First start of BITWARDEN_RS (the container is re-created with the final options below).
# Host directory /bw-data holds the data. `-p 8880:80` publishes the port on every host
# interface by default, so the app is also reachable directly on :8880, bypassing the
# nginx HTTPS redirect; `-p 127.0.0.1:8880:80` limits it to loopback, which is all the
# proxy_pass in the nginx config needs.
docker run -d --name bitwarden -v /bw-data/:/data/ -p 8880:80 bitwardenrs/server:latest

#配置NGINX文件

#这里假设使用域名:x.mashaji.cc
#oneinstack配置文件地址:/usr/local/nginx/conf/vhost/x.mashaji.cc.conf
#把robots.txt文件放在/data/wwwroot/x.mashaji.cc

============robots.txt文件内容
User-agent: *
Disallow: /
================

=======================NGINX配置

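  # Force HTTPS: plain-HTTP requests get a permanent redirect to the same URL over TLS.
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  # Upload/attachment size limit for the vault.
  client_max_body_size 128M;

  # Web vault and API -> bitwarden_rs container on host port 8880.
  location / {
    proxy_set_header  Host  'x.mashaji.cc';
    proxy_pass http://127.0.0.1:8880;
    proxy_redirect off;
    # X-Real-IP is set from the TCP peer address rather than copied from the
    # request, so the IP that ends up in the bitwarden_rs log (and that the
    # fail2ban filter bans) cannot be spoofed with a client-supplied header.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  # WebSocket notifications -> container port 3012.
  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    # nginx proxies with HTTP/1.0 unless told otherwise; the Upgrade handshake
    # below requires HTTP/1.1, without it the WebSocket never establishes.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  # The negotiate call is plain HTTP and goes to the main app port.
  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8880;
  }

  # Serve robots.txt from the web root instead of proxying it to the app.
  location = /robots.txt {
    root /data/wwwroot/x.mashaji.cc;
  }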
=====================================
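# Reload the nginx config — only if the syntax test passes, so a broken vhost
# file is never pushed to the running server (`;` reloaded regardless).
nginx -t && nginx -s reload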

# bitwarden-rs configuration

# Log in at x.mashaji.cc and create the account first; registration is disabled below.
# Disable registration: SIGNUPS_ALLOWED=false
# Restart policy: --restart=always
# Log file: -e LOG_FILE=/data/bitwarden.log (that is /bw-data/bitwarden.log on the
# host, the logpath the fail2ban jail reads)
# Time zone: -e "TZ=Asia/Shanghai"
# fail2ban needs the container clock to agree with the host and needs the log file,
# hence the TZ and LOG_FILE options.
docker stop bitwarden
docker rm bitwarden
# NOTE(review): as on the first run, `-p 8880:80` and `-p 3012:3012` publish on every
# host interface; prefixing both with 127.0.0.1: keeps the container reachable only
# through nginx (Docker's own iptables rules generally bypass host firewalls such as
# ufw, so a firewall alone is not a substitute). The `latest` tag is still unpinned.
docker run -d --name bitwarden -e "TZ=Asia/Shanghai" -e LOG_FILE=/data/bitwarden.log -e WEBSOCKET_ENABLED=true -e SIGNUPS_ALLOWED=false -v /bw-data/:/data/ -p 8880:80 -p 3012:3012 --restart=always bitwardenrs/server:latest

# fail2ban: protect bitwarden_rs against password brute-forcing

# Reference: https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
# fail2ban config file: /etc/fail2ban/jail.local
# bitwarden_rs log file: /bw-data/bitwarden.log
# Key points: the container's time zone must match the host and logging must be
# enabled (see the docker run options in the previous step), otherwise fail2ban
# cannot line up the log timestamps with its findtime window.

# Create the filter (file content follows)
nano /etc/fail2ban/filter.d/bitwarden.local

============bitwarden.local文件内容
# fail2ban filter for bitwarden_rs failed logins
[INCLUDES]
# shared prefix/date definitions
before = common.conf
[Definition]
# Matches bitwarden_rs's failed-login line; <ADDR> captures the client IP to ban.
# NOTE(review): the <ADDR> tag needs fail2ban 0.10 or newer; older releases use
# <HOST> instead — check `fail2ban-client --version` on this host before relying on it.
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
============

# Create the jail (file content follows)
nano /etc/fail2ban/jail.d/bitwarden.local

============bitwarden.local文件内容
# fail2ban jail for bitwarden_rs
[bitwarden]
enabled = true
# NOTE(review): 8081 does not match the 8880 published on this host, but the
# iptables-allports action below ignores the port list anyway — a ban blocks the
# IP on every port. Fix the list if the action is ever changed to a port-specific one.
port = 80,443,8081
filter = bitwarden
action = iptables-allports[name=bitwarden]
# host-side path of the container's /data/bitwarden.log
logpath = /bw-data/bitwarden.log
# 3 failures within findtime (4 h) ban the IP for bantime (4 h)
maxretry = 3
bantime = 14400
findtime = 14400
============

# Restart fail2ban so it loads the new filter and jail
systemctl restart fail2ban.service
# Test: enter a wrong password 3 times and the IP is blocked.
# `fail2ban-client status bitwarden` lists the IPs currently banned by this jail.

# Modify the ONEINSTACK backup script to back up bitwarden-rs (to Dropbox)

# Backup directory: /bw-data
# Caution: after this change the Dropbox target can no longer back up other sites!

# Run from the directory that holds the oneinstack checkout (/root, going by the
# crontab entry below)
cd oneinstack
./backup_setup.sh
================生成配置
9 - Dropbox
2 - Only Website
#Please enter a valid backup number of days:
#保留天数
7
x.mashaji.cc
====================

# Add the cron job (crontab -e opens the editor; paste the entry shown below)
# NOTE(review): the entry sends all output to /dev/null, so a failed Dropbox
# upload is silent — redirecting to a log file instead makes backup failures visible.
crontab -e
=========添加以下内容。(每日凌晨1点备份)
0 1 * * * /root/oneinstack/backup.sh  > /dev/null 2>&1 &
=========

# Apply the schedule
# NOTE(review): cron picks up a table saved via `crontab -e` by itself, so this
# restart is likely unnecessary; on a systemd host `systemctl restart cron` is the usual form.
/etc/init.d/cron restart

#修改(/root/oneinstack/)backup.sh文件。指定目录备份
====backup.sh===305行:
tar czf ${PUSH_FILE} ./$W
修改为:
tar czPf ${PUSH_FILE} /bw-data
===========
# Test: run the backup, then check that the archive appeared in Dropbox.
# NOTE(review): the patched tar line archives /bw-data while the container is
# running (and `-P` keeps the leading / in member names). If the data directory
# holds a live SQLite database, a plain tar copy can be inconsistent — stop the
# container first or use SQLite's own backup command. TODO confirm.
./backup.sh